Software composition analysis helps keep Industrial IoT secure

Jeff Luszcz, Vice President of Product Management at Flexera, explains how analysis of software open source components can help combat IIoT cyber crime.

The recent botnets involving networked security cameras have shone a light on the vulnerability concerns around industrial systems and the Industrial IoT (IIoT). These types of devices have characteristics that make them a compelling target for botnet authors, as well as for other types of malware. They typically have full-time, high-speed network connections, run embedded Linux, and lack the monitoring systems, screens or logs that might alert a user to a compromise. Additionally, many of these systems are designed for limited roll-out, or come from a company that has paid limited attention to hardening or security. This combination of powerful networked systems that are easy to breach allows botnets to thrive. In the last few years, malware such as Mirai and Bashlite have taken advantage of vulnerabilities in these IoT devices, and these weaknesses should be kept in mind as the industry designs the next generation of IoT and IIoT devices.

The typical embedded Linux system uses dozens to hundreds of open source packages. While these components are typically high quality, all software contains defects and over time vulnerabilities in these components are discovered and eventually taken advantage of.

Many of these devices are not designed to be auto-updated, yet they depend on software from commercial and open source organisations in which new vulnerabilities are discovered every few weeks to every few months.

Software Bill of Materials

It is becoming a best practice to pay attention to a device’s Software Bill of Materials, with special attention to components with known vulnerabilities as seen in places such as the National Vulnerability Database. By keeping track of the list of components used in the operating system as well as the application itself, a company can stay ahead of malware authors – especially if they have a rigorous patching system in place.

The irony is that update systems can sometimes be used by malware authors to spread their malware. This occurs when secrets, such as hard-coded passwords, are shared across multiple devices or device families. Many current malware families use this trivial vulnerability to spread themselves, but as this vector gets locked down, many are moving to taking advantage of common vulnerabilities – such as those seen in OpenSSL and Bash – or of shared commercial firmware, as seen in DVRs or camera boards.

Today, products and services are available that are designed to help IIoT system designers keep track of their use of open source and commercial dependencies, as well as get alerts when new vulnerabilities are discovered in the components they are using. This allows them to create products that do not contain known vulnerabilities when first shipped, and to stay on top of components as they age out when deployed in the field. This type of scanning and management software is known as Software Composition Analysis (SCA) software.

Such software contains scanning and workflow features designed to help technology companies discover, manage and upgrade their open source components, and to comply with the licences those components carry. By scanning the files used on the device and comparing them to a database of billions of known open source files, the system is able to discover usage of third-party components for the purposes of vulnerability management as well as open source licence compliance. Managing these requirements allows a developer to ship a device that respects the open source community and protects the company’s users from attacks.
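The core of the workflow described above, keeping an SBOM and checking each component's version against a vulnerability feed, is small enough to show directly. The following is an added example written for this article, not Flexera's product or any real feed: the SBOM, the advisory ids and the affected version ranges are all constructed, and the version parser is a deliberately simple one that handles the `1.0.1f`-style suffixes common in embedded package lists.

```python
"""Check a constructed SBOM against a constructed, NVD-style advisory feed."""
from dataclasses import dataclass
from typing import Optional

Version = tuple  # tuple of (number, suffix) pairs, comparable with < and >=


def parse_version(v: str) -> Version:
    """Turn '4.3.30' or '1.0.1f' into a tuple that sorts numerically."""
    parts = []
    for token in v.split("."):
        num = "".join(ch for ch in token if ch.isdigit())
        parts.append((int(num) if num else 0, token[len(num):]))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    component: str
    first_affected: Version        # inclusive lower bound
    fixed_in: Optional[Version]    # exclusive upper bound; None = no fix yet
    advisory_id: str               # placeholder ids, not real CVE numbers


# Constructed feed: component names are the ones the article mentions,
# but every id and version range here is made up for the example.
ADVISORIES = [
    Advisory("openssl", parse_version("1.0.1"), parse_version("1.0.1g"), "ADV-EXAMPLE-1"),
    Advisory("bash", parse_version("1.14"), parse_version("4.3.30"), "ADV-EXAMPLE-2"),
    Advisory("busybox", parse_version("1.20"), None, "ADV-EXAMPLE-3"),
]


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    if v < adv.first_affected:
        return False
    return adv.fixed_in is None or v < adv.fixed_in


def check_sbom(sbom: dict) -> dict:
    """Map each component with a known vulnerability to its advisory ids."""
    findings = {}
    for name, version in sbom.items():
        hits = [a.advisory_id for a in ADVISORIES
                if a.component == name and is_affected(version, a)]
        if hits:
            findings[name] = hits
    return findings


# Constructed SBOM for a hypothetical camera firmware image.
FIRMWARE_SBOM = {"openssl": "1.0.1f", "bash": "4.3.30", "busybox": "1.24.1", "dropbear": "2016.74"}

if __name__ == "__main__":
    for comp, ids in check_sbom(FIRMWARE_SBOM).items():
        print(f"{comp} {FIRMWARE_SBOM[comp]}: {', '.join(ids)}")
```

Run against a real feed, the same loop is what produces the "new vulnerability in a shipped component" alert the article describes; the unfixed `busybox` entry shows why an SBOM check must report components with no patched version yet, not only those with an available upgrade.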